As organizations use more cloud services and resources, they become responsible for a staggering variety of administrative consoles, assets, services and interfaces. Cloud computing is a large and often interconnected ecosystem of software-defined infrastructure and applications. As a result, the cloud control plane -- as well as assets created in cloud environments -- can become a mishmash of configuration options. Unfortunately, it's all too easy to misconfigure elements of cloud environments, potentially exposing the infrastructure and cloud services to malicious activity.
Let's take a look at the four most common cloud misconfigurations and how to solve them.
1. IAM policy misconfigurations
Among the catalog of cloud misconfigurations, the first one that trips up cloud tenants is overly permissive identity and access management (IAM) policies. Cloud environments usually include identities that are human, such as cloud engineers and DevOps professionals, and nonhuman -- for example, service roles that enable cloud services and assets to interact within the infrastructure. In many cases, a large number of nonhuman identities are in place. These frequently have overly broad permissions that may allow unfettered access to more assets than needed.
To combat this issue, be sure to do the following:
- Centralize identity and access wherever possible, and carefully define how to approach the creation and lifecycle of identities and groups. One option is to build and implement centralized cloud IAM teams to focus explicitly on this area of cloud security.
- Enable multifactor authentication for all privileged human user accounts.
- Perform regular reviews of all identity roles and policies using cloud-native services, such as AWS IAM Access Analyzer, or third-party products that continually evaluate privileges and flag any that may be excessive.
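As an added example (not from the original article and not a substitute for AWS IAM Access Analyzer), the script below shows the kind of check a policy review performs on an identity-based policy document: it reports Allow statements that use wildcard actions, `NotAction`, or an unconditioned wildcard resource. The function names and the sample policy are constructed for illustration.

```python
import json

def as_list(value):
    """Action and Resource may each be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)

def review_statement(stmt):
    """Return the reasons an Allow statement is broader than least privilege."""
    if stmt.get("Effect") != "Allow":
        return []  # Deny statements only narrow access
    reasons = []
    actions = as_list(stmt.get("Action", []))
    if "NotAction" in stmt:
        reasons.append("Allow with NotAction grants every action not listed")
    if "*" in actions:
        reasons.append("all actions on all services")
    service_wide = sorted(a for a in actions if a.endswith(":*"))
    if service_wide:
        reasons.append("every action in " + ", ".join(service_wide))
    # Some actions only accept Resource "*", so report it only with a wildcard action.
    wildcard_action = "NotAction" in stmt or any("*" in a for a in actions)
    if "*" in as_list(stmt.get("Resource", [])) and wildcard_action and not stmt.get("Condition"):
        reasons.append("applies to every resource with no condition")
    return reasons

def review_policy(policy_json):
    """Map each risky statement's Sid (or index) to its findings."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may omit the list
        statements = [statements]
    report = {}
    for i, stmt in enumerate(statements):
        reasons = review_statement(stmt)
        if reasons:
            report[stmt.get("Sid", f"statement-{i}")] = reasons
    return report

# Constructed sample policy, not taken from a real account.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadReports", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"},
    {"Sid": "ListBuckets", "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "Ec2Ops", "Effect": "Allow", "Action": ["ec2:*", "iam:PassRole"], "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-west-1"}}},
    {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"},
]})

if __name__ == "__main__":
    print(json.dumps(review_policy(SAMPLE_POLICY), indent=2))
```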
2. Cloud storage misconfigurations
Another typical misconfiguration revolves around exposed and/or poorly secured cloud storage nodes. Organizations may inadvertently expose storage assets to the internet or other cloud services, as well as reveal assets internally. In addition, they often fail to properly implement encryption and access logging where appropriate.
To ensure cloud storage is not exposed or compromised, security teams should do the following:
- Continually look for any storage nodes labeled as public.
- Monitor all internal storage access patterns to eliminate overly permissive or exposed access that's unnecessary.
- Enable strong encryption and key rotation for sensitive data within cloud storage nodes. Many cloud services enable strong encryption by default.
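As an added example (not from the original article), the script below looks for storage that is effectively public by classifying bucket policies: a statement that allows any principal with no condition is reported as public, and one that allows any principal under a condition is set aside for manual review. It assumes AWS-style bucket policy JSON; bucket ACLs are out of scope, and the function names, bucket names and policies are constructed for illustration.

```python
import json

def principal_is_anyone(principal):
    """True for "*" and for maps such as {"AWS": "*"} or {"AWS": ["*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        for value in principal.values():
            if "*" in ([value] if isinstance(value, str) else value):
                return True
    return False

def classify_bucket(policy_json):
    """Return 'public', 'conditional' or 'private' for one bucket policy."""
    if not policy_json:
        return "private"  # no bucket policy attached (ACLs are not checked here)
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may omit the list
        statements = [statements]
    verdict = "private"
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not principal_is_anyone(stmt.get("Principal")):
            continue
        if not stmt.get("Condition"):
            return "public"  # anyone, unconditionally
        verdict = "conditional"  # anyone who meets the condition: review by hand
    return verdict

def audit_buckets(policies):
    """Map bucket name to verdict, keeping only buckets that need attention."""
    verdicts = {name: classify_bucket(doc) for name, doc in policies.items()}
    return {name: v for name, v in verdicts.items() if v != "private"}

# Constructed sample policies, not taken from a real account.
SAMPLE_POLICIES = {
    "example-assets": json.dumps({"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-assets/*"}]}),
    "example-logs": json.dumps({"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-logs/*"}]}),
    "example-partner": json.dumps({"Statement": {
        "Effect": "Allow", "Principal": {"AWS": ["*"]}, "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-partner/*",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}}),
    "example-empty": None,
}
if __name__ == "__main__":
    print(audit_buckets(SAMPLE_POLICIES))
```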
3. Network access control misconfigurations
Overly permissive cloud network access controls are another area ripe for cloud misconfigurations. These access control lists are defined as policies that can be applied to cloud subscriptions or individual workloads.
To mitigate this issue, security and operations teams should review all security groups and cloud firewall rule sets to ensure only the network ports, protocols and addresses needed are permitted to communicate. Rule sets should never allow access from anywhere to administrative services running on ports 22 (Secure Shell) or 3389 (Remote Desktop Protocol).
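As an added example (not from the original article), the check below flags ingress rules that open ports 22 or 3389 to any address, including rules that reach those ports through a wider port range, an all-traffic rule or an IPv6 source. It assumes the rule layout AWS uses for security groups (`IpPermissions`, `IpRanges`, `Ipv6Ranges`); the function names and sample groups are constructed for illustration.

```python
# Rule layout follows the IpPermissions structure of AWS security groups.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

def open_sources(rule):
    """Return the world-open CIDRs (IPv4 and IPv6) listed on one ingress rule."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return sorted(c for c in cidrs if c in ANYWHERE)

def exposed_admin_ports(rule):
    """Return the admin ports a rule covers, including via ranges or all traffic."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # all protocols, all ports
        return sorted(ADMIN_PORTS)
    if proto != "tcp":
        return []
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return [p for p in sorted(ADMIN_PORTS) if lo <= p <= hi]

def audit_security_groups(groups):
    """Return (group_id, port, service, cidr) for every world-open admin port."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            for cidr in open_sources(rule):
                for port in exposed_admin_ports(rule):
                    findings.append((group["GroupId"], port, ADMIN_PORTS[port], cidr))
    return findings

# Constructed sample data, not taken from a real account.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_GROUPS):
        print(finding)
```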
4. Workload and image misconfigurations
Vulnerable and misconfigured workloads and images also plague cloud tenants. In some cases, organizations have connected workloads to the internet accidentally or without realizing what services are exposed. This exposure enables would-be attackers to assess these systems for vulnerabilities. Outdated software packages or missing patches are another common issue. Exposing cloud provider APIs via orchestration tools and platforms, such as Kubernetes, meanwhile, can let workloads be hijacked or modified illicitly.
To address these common configuration issues, cloud and security engineering teams should regularly do the following:
- Update workload images with patches and configuration hardening controls using the Center for Internet Security benchmarks and other industry best practices. New and updated workloads should then be started using these images.
- Scan and review all workloads for vulnerabilities.
- Ensure cloud orchestration tools and APIs for containers and other PaaS workloads are not exposed or providing more access than necessary, particularly on the internet.
Using guardrail services to solve misconfiguration issues
Guardrail tools can help companies avoid cloud misconfigurations. All major cloud infrastructure providers offer a variety of background security services, among them logging and behavioral monitoring, to further protect an organization's data.
In some cases, configuring these services is as easy as turning them on. Amazon GuardDuty, for example, can begin monitoring cloud accounts within a short time after being enabled.
While cloud environments may remain safe without using services like these, the more tools an organization puts in place to safeguard its operations, the better chance it has to know if an asset or service is misconfigured.